19/12/2024

Why is the DORA Regulation important for citizens

In the financial sector, DORA is known as the Digital Operational Resilience Regulation and must be applied by all regulated activities in the sector: banks, payment service providers, issuers of crypto-assets and crypto-asset service providers, insurance companies, large insurance intermediaries, pension and investment funds, stock exchanges, brokers and central counterparties. It must also be applied by providers of information and communication services, as special obliged entities, particularly when it comes to the most significant ones, those which enable the operation of numerous financial institutions in a large number of EU Member States.

DORA, Regulation (EU) 2022/2554, entered into force on 16 January 2023 and applies from 17 January 2025. It is directly applicable in the Member States, and in the two years between those dates a series of additional documents went through public consultation and were published by the European Commission; from the date of application, all financial institutions are required to apply all of the measures and procedures for managing digital operational resilience.

The aim of the sector's regulations and directives to date has been the financial stability of the sector and its resilience to crises and to changes in the economy and the environment that could lead to the loss of citizens' property, i.e. instabilities that can affect states and groups of citizens, primarily as regards their financial position.

DORA now introduces a single regulatory framework that requires all financial institutions to demonstrate not only economic, but also digital resilience, for the benefit of all EU citizens.

DORA implementation timeline


Key DORA areas:

The Regulation is divided into and regulates the following areas:

1. ICT risk management;

2. ICT service providers risk management;

3. digital operational resilience testing;

4. ICT-related incidents;

5. exchange of information on threats and ICT-related incidents;

6. supervising critical ICT service providers.

Particular attention is paid to the requirement to report and process ICT-related incidents:

  • Processes are established to determine the impact on business operations and records and, in particular, to report incidents to national and EU supervisory authorities according to precise criteria.
  • The financial institution will be obliged to report, within a short period of time immediately after detection, that an incident has occurred or is in progress, and to provide interim reports while the incident is being handled; a complex cyber attack, for example, can last for days or weeks from detection to the recovery of regular functions.
  • At the end of the process, the financial institution must submit a final report giving full insight into the impact on the business and the number of clients affected, the costs and losses in operation, and the new findings and lessons learned.

The processes introduced by DORA will be implemented using the templates provided, which enable a comparison of a series of data on the characteristics of incidents at EU as well as national levels.

TESTING

DORA requires the drawing up of an annual testing plan in line with each company's materiality assessment and risk profile, i.e. which systems, measures and tools are needed to keep incident resilience at a level that the company's management deems satisfactory for its business framework.

Testing reveals the weaknesses and vulnerabilities of the system, as well as the readiness of the organization to face an incident and respond to it by introducing adequate measures, mitigating possible damage and ensuring the recovery of business operations.

One of the common tools for such tests involves incident response exercises.

Hanfa has conducted such an exercise for 11 selected financial institutions that are significant with respect to their position in and impact on the financial services market. In this way, the companies had the opportunity to gain insight into their actual organizational and response capabilities. Following the exercise, they carried out a thorough analysis, identified the areas with room for improvement and further refined their work plans.

The DORA framework strengthens the ability of the entire industry to cope with the increasing ICT risks that accompany AI technologies, which offer new tools in business operations.

At a recent conference organised by Hanfa on this topic, the British consulting team of Thomas Murray Cyber gave a presentation on the analysis of ICT risk trends and presented an interesting view on the impact of AI in this context.


The picture shows that in the period before ChatGPT, APT attackers (the most severe form of attack) made up a smaller part of the pyramid, as did organized cybercrime. Most attacks were mild in form, performed by so-called 'hacktivists', individuals and amateurs who carry out less severe attacks using their knowledge of technology. After the arrival of ChatGPT, the share of the most serious attacks increased significantly.

Therefore, DORA is of benefit to all of us since, as a comprehensive risk management framework, it keeps up with the development of technology through its response processes and requires financial institutions to be constantly prepared for cyber challenges and to regularly monitor and improve their response capabilities.
